
User Sets Arbitrary Data on Page, but Only they can View it?

Posted: Tue Apr 19, 2005 9:34 pm
by Ambush Commander
I've often heard that JavaScript is a tool of evil, but I've never exactly known the full capabilities of its evilness.

What I'd like to know is what damage a person could do if this happened:

We have a page that accepts POST parameters and then outputs them onto the page without cleaning them (it doesn't do anything else with them). That means that the user can put arbitrary data on the page, but no one else can view it. Is this a security hazard? And if so, how would one exploit it?

Posted: Tue Apr 19, 2005 11:34 pm
by feyd
Extremely dependent on page code and data handling.

Posted: Wed Apr 20, 2005 5:03 pm
by Ambush Commander
Sooo....

Code:

<?php

echo $_POST['user'];

?>
would be "relatively" safe?

Posted: Wed Apr 20, 2005 5:38 pm
by John Cartwright
That is asking for trouble...
I cannot stress enough how important sanitizing user input can be.
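
The echo in the snippet above writes the POST value into the HTML response unencoded. The following is an added example, not part of the original thread, showing the same output with the value type-checked and encoded for the HTML context; the helper names `post_string` and `html_escape` and the sample inputs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example; helper names are hypothetical, not from the thread.

/** Encode a value for use in an HTML text node or a quoted attribute. */
function html_escape(string $value): string
{
    // ENT_QUOTES encodes both ' and "; ENT_SUBSTITUTE replaces invalid
    // UTF-8 sequences instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Read one field as a string; missing or non-string values become ''. */
function post_string(array $post, string $key, int $maxBytes = 64): string
{
    $raw = $post[$key] ?? '';
    if (!is_string($raw)) {
        // A request such as user[]=x arrives as an array, not a string.
        return '';
    }
    // Byte-wise truncation may split a multibyte character; the
    // ENT_SUBSTITUTE flag in html_escape() handles the leftover bytes.
    return substr($raw, 0, $maxBytes);
}

// Constructed sample inputs standing in for $_POST.
$samples = [
    ['user' => 'Ambush Commander'],
    ['user' => '<b>Tom</b> & "Jerry\'s"'],
    ['user' => ['nested' => 'array']],
    [],
];

foreach ($samples as $post) {
    // Original form from the thread: echo $_POST['user'];
    $user = post_string($post, 'user');
    echo '<p>Hello, ', html_escape($user), "</p>\n";
}
```

In a real page the call would be `post_string($_POST, 'user')`. The encoding shown is for HTML body and quoted-attribute contexts only; values placed inside script blocks, URLs or CSS need encoding for those contexts.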

Posted: Wed Apr 20, 2005 6:51 pm
by Ambush Commander
I know. ;)

The main question is, however, can the contents of a webpage be manipulated so that even people who are not viewing the page are affected?

Posted: Wed Apr 20, 2005 7:34 pm
by feyd
The "example" you used would generally suggest no... however, if there are any security holes introduced via PHP initialization directives or PHP's core itself, then yes... But since I didn't write the code, nor do I have the time or care to make massive security passes at it.... :?